[dns-operations] correction about RRL leakage
glen wiley
glen.wiley at gmail.com
Wed Sep 26 17:55:20 UTC 2012
This seems like a degenerate case to me...there is a threshold below which
attacks are no longer meaningful. For most name servers I suspect that an
attack is only interesting at some rate well above 10's of qps.

As a name server operator not only am I not likely to see anything odd in
an attack like that, I really don't have the time or inclination to care
about volumes in that range.
On Wed, Sep 26, 2012 at 1:45 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
> On Monday I wrote:
>
> > I think the complaint is that DNS RRL with "slip 0" and the recommended
> > "responses-per-second 10" could send 10 DNS response/second to the
> > victim.
>
> That is not right because it is an unlikely worst case. It is true
> that a reflection DoS attack of "responses-per-second" identical queries
> per second for a long time would not be filtered by DNS RRL. However,
> as this section from the documentation tries to say, excess responses
> during one second suppress responses for subsequent "window" seconds:
>
> ] Rate limiting uses a "credit" or "token bucket" scheme. Each
> ] identical response has a conceptual account that is given
> ] responses-per-second, errors-per-second, and nxdomains-per-second
> ] credits every second. A DNS request triggering some desired
> ] response debits the account by one. Responses are not sent
> ] while the account is negative. The account cannot become more
> ] positive than the per-second limit or more negative than window
> ] times the per-second limit. A DNS client that sends requests
> ] that are not answered can be penalized for up to window seconds
> ] (default 15).
>
> For example, given "slip 0; responses-per-second 10;" and an attack
> of at least 20 forged requests/second, DNS RRL will allow a total 10
> responses for the entire duration of the attack. Those 10 responses
> will be for the first 10 requests. The later requests will not be
> answered.
>
> Of course, an attacker could send 10 or fewer requests/second and have
> all of them answered. That kind of attack is hard to handle because
> it can be undetectable by the reflecting DNS server. For an extreme
> example, an attacker with a list of 1,000,000 open resolvers could
> send each open resolver one forged request every 10 seconds for
> <random>.isc.org and send the victim about 0.5 Gbit/sec. None of the
> reflectors is likely to see anything odd about one stray NXDOMAIN every
> 10 seconds.
>
>
> Vernon Schryver vjs at rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
--
Glen Wiley
"A designer knows he has achieved perfection not when there is nothing left
to add, but when there is nothing left to take away." - Antoine de
Saint-Exupery
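The token-bucket accounting that Vernon quotes from the RRL documentation, and the two attack rates he works through (20 forged requests/second versus 10/second against "responses-per-second 10; slip 0"), as an added simulation. This is illustration code written for this archive page, not BIND or the RRL patch itself. Assumptions not stated in the quoted text: the account starts full, a request is debited before the negative test (the reading under which Vernon's "10 responses for the entire duration" holds), "slip N" is modelled as every N-th would-be-dropped response of an account going out as a small truncated reply, and the 625-byte response size is chosen only so that the 1,000,000-reflector arithmetic reproduces the roughly 0.5 Gbit/s figure in the quoted message.

```python
"""Simulation of the DNS RRL credit account described in the quoted
documentation (responses-per-second, window, slip).

Added illustration for this thread; not code from BIND or the RRL patch.
Ordering (debit, then sign test) and the slip semantics are assumptions.
"""
from collections import Counter


class RRLAccount:
    """Conceptual account for one 'identical response' (same answer to the
    same client netblock)."""

    def __init__(self, rps, window=15, slip=0):
        self.rps = rps            # responses-per-second credit
        self.window = window      # penalty can accumulate to window*rps
        self.slip = slip          # 0 = drop all excess; n = every n-th excess goes out truncated
        self.balance = rps        # assumption: the account starts full
        self.excess_streak = 0    # assumption: slip counter is per account

    def tick(self):
        """One second passes: credit rps, capped at rps."""
        self.balance = min(self.balance + self.rps, self.rps)

    def request(self):
        """Account for one request; returns 'sent', 'truncated' or 'dropped'."""
        # Debit first, then test the sign; floor at -window*rps as the doc says.
        self.balance = max(self.balance - 1, -self.window * self.rps)
        if self.balance >= 0:
            self.excess_streak = 0
            return "sent"
        self.excess_streak += 1
        if self.slip and self.excess_streak % self.slip == 0:
            # TC=1 reply: tiny, so no amplification; a real client retries over TCP.
            return "truncated"
        return "dropped"


def run_attack(qps, seconds, rps=10, window=15, slip=0):
    """Send `qps` identical forged requests per second for `seconds` seconds
    through one account.  Returns (account, Counter of outcomes)."""
    acct = RRLAccount(rps=rps, window=window, slip=slip)
    outcomes = Counter()
    for s in range(seconds):
        if s:
            acct.tick()
        for _ in range(qps):
            outcomes[acct.request()] += 1
    return acct, outcomes


def penalty_seconds(acct):
    """Seconds a now-quiet client stays unanswered after the attack stops."""
    secs = 0
    while acct.balance < 0:
        acct.tick()
        secs += 1
    return secs


def reflected_bits_per_second(reflectors, seconds_between_requests, response_bytes):
    """Aggregate bandwidth at the victim when every reflector is asked for one
    forged response every `seconds_between_requests` seconds."""
    return reflectors / seconds_between_requests * response_bytes * 8


if __name__ == "__main__":
    # 20 req/s for a minute: only the first 10 are answered, 15 s penalty afterwards.
    acct, out = run_attack(qps=20, seconds=60)
    print("20 qps:", dict(out), "penalty", penalty_seconds(acct), "s")
    # 10 req/s for a minute: every request answered, nothing for RRL to see.
    acct, out = run_attack(qps=10, seconds=60)
    print("10 qps:", dict(out), "penalty", penalty_seconds(acct), "s")
    # Same sub-threshold rate spread over a million open resolvers (625-byte
    # responses assumed), one forged query each per 10 s.
    print("victim sees %.2f Gbit/s" % (reflected_bits_per_second(1_000_000, 10, 625) / 1e9))
```

The two runs make Vernon's point and Glen's reply concrete: above the per-second limit the account goes negative in the first second and never recovers while the flood continues, so the reflector emits exactly rps responses in total and then penalizes the spoofed source for up to window seconds once it stops; at or below the limit the account is replenished every second and every forged request is answered, which is why the only remaining lever is the number of reflectors, not the rate at any one of them.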